Did IDG Bet $1,000 That Acunetix Can’t Steal Credit Cards From Random Websites?

Thomas Ptacek | February 14th, 2007 | Filed Under: Industry Punditry, Uncategorized

Hysterical.

Second-tier web security scanner vendor Acunetix releases a survey, concluding that 70% of all web applications are “hackable”. On the one hand: surveys are the ultimate in lazy, content-free marketing; every bored or boring marketing team does them, and none of them mean anything. On the other hand, even a stopped clock, etc, etc: most people in the trenches would say 70% is a lowball estimate.

But Paul McNamara, editor at IDG’s Network World, doesn’t think so. To him, it sounds “apocalyptic”. So he forwards the survey to his “go-to guy on all security matters”, Network World product reviewer Joel Snyder. Snyder picks up the bat-phone, listens, and responds, “let’s take their list of 3,200 sites, pick 10 at random, and see if they can steal sensitive data from the sites”.

Snyder: “I’ll bet $1,000 they can’t steal personal data from three of them.”

Let’s add some context, from the Acunetix press release, which McNamara and Snyder have both read:

Since January 2006, Acunetix has been offering a free automated web scan for qualifying websites. Out of a total of 10,000 applications, Acunetix has scanned 3,200 sites belonging to either businesses or non-commercial entities.

So, Acunetix has no formal, ongoing business relationship with these sites. And Snyder and McNamara, who is, again, an editor at IDG publication Network World magazine, which you can contact at (508) 460-3333, think the best way Acunetix can “back up” this superficial survey is for them to break in to a random selection of 10 of these companies. It’s such a sensible idea that Snyder will put up $1,000 of his own money to see them do it.

But, don’t worry: McNamara is being careful with the “ground rules” of this wager. They’ll need to work out the details with Acunetix, because McNamara is biased. “But the basics would be that an employee of the company would need to get valuable personal information - like a credit card or social security number, not an e-mail or home address - from at least three of a random 10 of those 3,200 sites they tested.” Credit cards and social security numbers.

Acunetix responds:

We are willing to accept the challenge. However we feel that the subject of the challenge should be the Network World Web site, rather than - as Mr. Snyder suggested - an innocent third-party Web site. After all, making a wager with someone else’s Web site would be unfair, and furthermore illegal.

So we will accept the wager and perform a security audit on the Network World site and attempt to breach any vulnerabilities found. This should be a fair substitute, since we are assuming that considering Mr. Snyder’s comments, Network World is confident that its Web site is secure and any data it holds is unbreachable.

Oh, it’s on now. IDG is not a small company. They gross over a billion dollars a year, comparable to the largest software vendors, larger by contrast than any independent information security company, publicly traded or otherwise. All their sites should be fair game. Their publications include Computer World, CIO Magazine, CSO Magazine, InfoWorld, PC World, and MacWorld. They have major operations in Western Europe, Eastern Europe, South America, China, and Japan. Major market research firm IDC belongs to IDG. I propose we take a random sampling of 10 of those sites. I propose we get IDG management to back up what their editors publish under IDG masthead, and allow Acunetix to complete this “wager” against their own properties.

I think McNamara is going to have absolutely no problem finding qualified third-party referees. And of course, for whatever it’s worth, we volunteer.

Comments

    "On the other hand, even a stopped clock, etc, etc: most people in the trenches would say 70% is a lowball estimate."

    My sentiments exactly.

    I happen to agree with the point Snyder is trying to make, which is that there's a disconnect between scanner findings, app-level vulnerabilities, and actual data booty - a point that is missing from Acunetix's marketing stunt for obvious reasons. But in trying to stunt on their stunt, he's let himself get backed into a corner, and the outlook's not good. Either he backs off, or he and McNamara are going to be in hot water with IDG's CISO and legal team. This will be a fun one to watch.

    I think it is actually worse than that. While I am sure they were just loose with language, by offering money to have Acunetix break into someone's website to retrieve credit card information, I am reasonably sure they have committed an illegal act themselves. Of course, I am not a lawyer...
    If Acunetix doesn't win, can I get 1k if I binary patch it to find the required criteria? I don't use web application vulnerability scanners, but I know for certain that it is capable of finding this sort of information very easily. I have seen plenty of these exact findings from people using SPI and Appscan...

    If Acunetix does win, I suggest they call the FCC and have them fine IDG to a tune of a few hundred thousand to million dollars for allowing personal information to be stolen from their website.
    Did anyone realise that Network World deliberately removed postings of Acunetix from its website?

    True they are a vendor but isn't this beyond journalism, our right to know what is truly happening and the constitutional right to free speech?

    Network World have lost a loyal customer and Acunetix have gained a new one!

    http://www.acunetix.com/news/acunetix_reveals_d...
